|Publication number||US8064597 B2|
|Application number||US 11/948,352|
|Publication date||Nov 22, 2011|
|Filing date||Nov 30, 2007|
|Priority date||Apr 20, 2007|
|Also published as||CA2684657A1, CA2684657C, CN101690287A, CN101690287B, EP2140717A1, EP2140717B1, US20080260149, WO2008128873A1|
|Inventors||Christian M Gehrmann|
|Original Assignee||Telefonaktiebolaget Lm Ericsson (Publ)|
This application claims priority under 35 U.S.C. §119(e) from the U.S. Provisional Patent Application Ser. No. 60/913,090, which was filed on 20 Apr. 2007 and entitled “OTA Soft SIM Credential Provisioning.”
1. Technical Field
The present invention generally relates to provisioning mobile devices, and particularly relates to facilitating over-the-air activation of mobile devices through the use of preliminary subscription identity information maintained in a centralized device directory that is accessible by one or more network operators.
Efficient equipment manufacture, distribution, and activation are key enablers for effectively exploiting the range of business opportunities provided by the continuing revolution in wireless communications. The existing approaches to “provisioning” user equipment with the necessary subscription credentials represent one impediment to more efficient operations.
For example, one conventional approach relies on selling or otherwise distributing user equipment with installed Subscriber Identity Modules, SIMs. Each SIM comprises a tamper-resistant circuit module, commonly embodied in a small, card-like form factor, where the circuit module stores credential information for a specific network operator. In other words, the user equipment is tied to a particular network operator by virtue of the preprogrammed SIM, and the subscriber calls or otherwise contacts the network operator to provide billing information, etc. In response, the network operator marks that SIM as active in one or more subscriber databases, thereby making the user equipment operational.
Other approaches to automating the provisioning process, at least partially, have been proposed. Examples include U.S. Publication 2005/0079863 to Macaluso, which discloses a form of over-the-air provisioning (commonly noted as “OTA” provisioning in the relevant literature); U.S. Publication 2007/0099599 to Smith, which discusses dynamic provisioning of wireless services and initial provisioning via access to an internet database; U.S. Pat. No. 6,980,660 to Hind, which discloses methods for initializing wireless communication devices using an enterprise database; and U.S. Pat. No. 6,490,445 to Holmes, which discloses the use of temporary access information in wireless equipment, to allow a form of restricted network access for over-the-air provisioning.
As a general proposition, however, it seems that the complexity of the overall problem framework has prevented the past approaches from providing an overall system and method that simplifies manufacturing, sales, and, ultimately, registration of mobile devices with regard to secure over-the-air provisioning.
Methods and systems taught herein allow mobile device manufacturers to pre-configure mobile devices for subscription with any network operator having access to a centralized device directory server. In at least one embodiment, mobile devices are provisioned with temporary device identifiers, which are also held in a centralized device directory server that is accessible to any number of network operators. Advantageously, a mobile station can be granted temporary access through any participating network, and that access thus is used to obtain permanent subscription credentials, via cooperation with a credential server associated with the network operator that will issue the permanent subscription credentials.
Accordingly, a method of facilitating over-the-air mobile communication device activation comprises, at a centralized device directory server, storing a device record that comprises preliminary subscription credential information for a mobile device, and sending at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device. The initial provisioning party may be, for example, a mobile device manufacturer. The method continues with receiving a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly linking network address information of the credential server to the device record.
The method continues with receiving a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information. In response to the validation request, the directory server sends an authentication vector based on a secret key included in the preliminary subscription credential information to the authentication server, if the preliminary subscription credential information for the mobile device is valid. The method also includes the directory server subsequently receiving a credential server address request from the mobile device, and sending network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.
In another embodiment, a system for facilitating over-the-air mobile communication device activation includes a centralized device directory server. The directory server in this embodiment comprises one or more processing circuits configured to store a device record that comprises preliminary subscription credential information for a mobile device, and to send at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device. The directory server is further configured to receive a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly link network address information of the credential server to the corresponding device record.
Continuing, the directory server is configured to receive a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information, and to send an authentication vector based on a secret key included in the preliminary subscription credential information to the authentication server, if the preliminary subscription credential information for the mobile device is valid. Still further, the directory server is configured to receive a credential server address request from the mobile device, subsequent to the mobile device gaining temporary access to the wireless communication network via the authentication vector, and to correspondingly send network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.
In one or more of the above embodiments, the preliminary subscription credential information, also referred to as preliminary subscription identities, comprise pairings of secret keys and Preliminary International Mobile Subscriber Identities, abbreviated as PIMSIs. Thus, the device directory stores, for example, a batch of PIMSI and secret key pairs, and device manufacturers provision individual, mobile devices with individual PIMSI and secret key pairs.
Of course, the present invention is not limited to the above features and advantages. Indeed, those skilled in the art will recognize additional features and advantages upon reading the following detailed description, and upon viewing the accompanying drawings.
Better appreciating the flexibility and convenience of the activation system and method contemplated herein begins with a more detailed understanding of the directory server 10, in accordance with the example details illustrated in the figure. It includes or is associated with a data store 12, and includes one or more processing circuits 14. The processing circuits 14 include communication interfaces 16 and preliminary subscription processing circuits 18 (“subscription processing circuits 18”). The processing circuits 14 comprise hardware, software, or any combination thereof. For example, the processing circuits 14 may include one or more microprocessor-based circuits, which are configured to carry out the functions described herein by way of executing stored program instructions. Those instructions may be embodied as a computer program product retained, for example, in a computer-readable medium of the data store 12, or may be held in other memory/storage devices included in or associated with the directory server 10.
Other information stored at the directory server 10 includes a batch 20 of device records 22. Device records 22-1 through 22-N are illustrated, as an example. As shown in
According to this basic setup, each device record 22 represents temporary subscription credentials for one mobile device. The directory server 10 is configured in one or more embodiments to generate batches 20 of device records 22, which can then be distributed to any number of parties involved in initially provisioning mobile devices. Typically, device records 22 are distributed to one or more mobile device manufacturers. In at least one embodiment herein, different batches 20 of device records 22 are generated for different manufacturers. For example, assuming that the temporary device identifier 24 is generated as a number, e.g., a Preliminary International Mobile Subscriber Identity (PIMSI), different ranges of numbers may be used for different device manufacturers. Doing so permits network elements involved in later over-the-air activation of a mobile device to determine the device's manufacturer from the range value of the temporary device identifier 24 reported by the mobile device.
Now, referring back to
Preferably, as shown in
In any case, an initial provisioning server 30 thus loads into a given mobile device 32, all or part of a device record 22, where that device record 22 is also held by the directory server 10. In this manner, a subscriber's later attempt to activate the mobile device 32 may be predicated on verifying the device record information as stored in the mobile device 32 against the corresponding device record information as stored in the directory server 10.
Regardless, the directory server 10 generates individual device records 22, each including a temporary device identifier 24 and a secret key 26 (denoted as “Kp”) as a pair. As noted, the temporary identifier 24 may comprise a PIMSI. In at least one embodiment, the PIMSI is equal to the UMTS/GSM IMSI number, such that standard mobile terminal authentication procedures can be used for the PIMSI. The directory server 10 thus sends PIMSI/Kp pairs to initial provisioning servers 30 as the device records 22. For example, multiple device records 22 are sent as PIMSI1/Kp1, PIMSI2/Kp2, . . . , and so on. The directory server 10 also may send its network address information, or the initial provisioning server 30 may be configured with that information.
In more detail, the initial provisioning server 30 may be configured to generate a public/private key pair, denoted as PuK/PrK, using secure processing. In such embodiments, the preliminary subscription information for device record 22-x thus would include PuKx, PrKx, Kpx, and the temporary device identifier 24 (e.g., PIMSIx). The initial provisioning processor 30 loads this information in the trusted module 44 of the mobile device 32. The initial provisioning server 30 also loads, as mentioned, a listing of network operators that support use of the preliminary subscription information, e.g., a listing of network operators that will accept the use of PIMSIs for gaining temporary network access. The initial provisioning server also may load network address information for the directory server 10.
More generally, it should be understood that, in one or more embodiments, the trusted module 44 of the mobile device 32 is provisioned with the temporary device identifier 24 (e.g., PIMSIx), the secret key Kpx, and the public/private key pair PuKx/PrKx (for later use in over-the-air activation of the mobile device 32), and that all such values may be provided by the initial provisioning server 30, or that one or more of them may be self-generated by the mobile device 32. For example, in at least one embodiment, the mobile device 32 is configured to generate the public/private key pair PuKx/PrKx. The provisioning information also generally includes a listing of network operators that support temporary wireless communication network access via use of the temporary device identifier 24, and may optionally include network address information for the directory server 10.
At some later time, a given mobile device 32 is sold to or otherwise targeted for association with a subscriber of a given network operator. As an example illustration,
Thus, a PDI corresponding to a particular temporary device identifier 24 is associated with or otherwise linked to data for a particular subscriber at the credential server 60-x. This subscription data, which function as subscription credentials, also may include secret subscription values, like a UMTS “master key.” In any case, processing continues with the credential server 60-x sending PDI information to the directory server 10 (Block 112). Receipt of that PDI information causes the directory server 10 to associate or otherwise link the device records 22 corresponding to the received PDI information with the credential server 60-x.
The directory server 10 therefore is configured to receive a PDI from the credential server 60-x, and, in response, to link the device record 22 corresponding to the PDI with the credential server 60-x. As one example, the PDI is a one-way hash of a PIMSI, and the device directory 10 processes the PDI to obtain the corresponding PIMSI, and then uses the recovered PIMSI to index into one or more batches 20 of stored device records 22, to identify the device record 22 that matches the recovered PIMSI.
Once the correct device record 22 is identified, the directory server 10 links it to the credential server 60-x, e.g., it stores network address information for the credential server 60-x in the identified device record 22, or causes that device record 22 to “point” to the credential server 60-x. For each such linked PDI-device record 22, the credential server 60-x receives a second secret key from the directory server 10 (Block 114). That second secret key is denoted as Kt to indicate its temporary status. The directory server 10 derives Kt from the secret key Kp of the involved device record 22. For example, Kt = F(Kp), where “F” denotes a suitable cryptographically strong one-way function. The credential server 60-x stores this temporary key Kt with the rest of the subscriber data associated with the given PDI.
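The PDI lookup, record linking and Kt derivation described above, as an added example that is not part of the patent text. It assumes SHA-256 for the PDI hash and HMAC-SHA256 with a fixed label for F; the class and function names, the host name and the refusal to re-link a record are illustrative assumptions. Because the hash is one-way, the directory "recovers" the PIMSI by looking the PDI up in an index computed from the PIMSIs it already stores.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def pdi_from_pimsi(pimsi: str) -> str:
    """PDI as a one-way hash of the PIMSI (SHA-256 is an assumption)."""
    return hashlib.sha256(pimsi.encode("ascii")).hexdigest()


def derive_kt(kp: bytes) -> bytes:
    """Kt = F(Kp); F is modelled here as HMAC-SHA256 over a fixed label."""
    return hmac.new(kp, b"temporary-key", hashlib.sha256).digest()


@dataclass
class DeviceRecord:
    pimsi: str                               # temporary device identifier 24
    kp: bytes                                # secret key 26
    credential_server: Optional[str] = None  # set when a PDI is registered


class DirectoryServer:
    """Hypothetical model of the directory server's record store."""

    def __init__(self) -> None:
        self._by_pimsi: Dict[str, DeviceRecord] = {}
        self._pimsi_by_pdi: Dict[str, str] = {}

    def generate_batch(self, first_pimsi: int, count: int) -> List[DeviceRecord]:
        """Create PIMSI/Kp pairs for one manufacturer's number range."""
        batch = []
        for n in range(first_pimsi, first_pimsi + count):
            rec = DeviceRecord(pimsi=f"{n:015d}", kp=secrets.token_bytes(16))
            self._by_pimsi[rec.pimsi] = rec
            # Index by PDI now, since the hash cannot be inverted later.
            self._pimsi_by_pdi[pdi_from_pimsi(rec.pimsi)] = rec.pimsi
            batch.append(rec)
        return batch

    def link_credential_server(self, pdi: str, address: str) -> bytes:
        """Resolve a PDI, link the record to the credential server, return Kt."""
        pimsi = self._pimsi_by_pdi.get(pdi)
        if pimsi is None:
            raise KeyError("PDI does not match any stored device record")
        rec = self._by_pimsi[pimsi]
        # Added safeguard (assumption): a linked record cannot be silently
        # re-pointed at a different credential server.
        if rec.credential_server not in (None, address):
            raise PermissionError("device record already linked elsewhere")
        rec.credential_server = address
        return derive_kt(rec.kp)   # Kp itself never leaves the directory

    def credential_server_for(self, pimsi: str) -> Optional[str]:
        rec = self._by_pimsi.get(pimsi)
        return rec.credential_server if rec else None
```

The credential server receives only Kt; the directory server, which holds Kp, can always recompute it.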
In the context of the above preliminary subscriber registration, given mobile device manufacturers may send PDIs and corresponding device directory address information directly to network operators. For example, an initial provisioning server 30 or other manufacturer's computer system may be communicatively coupled to the credential servers 60 of one or more network operators. Such communications allow mobile device manufacturers to link particular mobile devices 32 to particular network operators prior to any retail sales.
Additionally or alternatively, individual mobile devices 32 are shipped to their respective purchasers. The PDIs and device directory associations for those mobile devices 32 are provided to those purchasers, such as in written or electronic form accompanying the mobile devices themselves. Thus, once an end-user buys or otherwise obtains a particular mobile device 32, that end-user registers the PDI and device directory information of that mobile device 32 with the credential server 60 belonging to a network operator of choice.
At Step 2, the initial provisioning server 30 generates a public/private key pair, PuKx/PrKx, and initially provisions an individual mobile device 32-x by loading it with PuKx/PrKx, Kpx, PIMSIx, network address information for the directory server 10, and a listing of participating network operators. Alternatively, the mobile device 32-x self-generates PuKx/PrKx, rather than those values being generated by the initial provisioning server 30.
At Step 3, an end-user or other subscriber associated with the mobile device 32-x submits subscriber registration data to the credential server 60. As an example, the credential server 60 receives subscriber identity and billing information, along with PDIx, and network address or other identifying information for a directory server 10.
At Step 4, the credential server 60 submits PDIx to the directory server 10, thereby causing the directory server 10 to process PDIx and identify the corresponding device record 22-x, and link that device record 22-x to the submitting credential server 60.
At Step 5, the directory server 10 returns a temporary secret key, Ktx, to the credential server 60.
At Step 6, the mobile device 32-x contacts a wireless communication network 70 and provides it with its temporary device identifier 24, e.g., with PIMSIx. More particularly, the mobile device 32-x may be configured to attempt to register with the wireless communication network 70 using standard GSM/UMTS registration procedures in which it provides its PIMSIx to the network 70 as part of registration. Further, the mobile device 32-x may be configured to determine that the network 70 is appropriate for such registration attempts, based on its stored listing of network operators that support use of temporary device identifiers 24 as a basis for gaining long-term subscription credentials via over-the-air provisioning.
Also, as part of Step 6, the network 70 passes the PIMSIx obtained from the mobile device 32-x to an authentication server 72. The authentication server 72 may be, for example, a Visitor Location Register (VLR) and/or a Home Location Register (HLR) associated with the network 70 or with a home network of a network operator associated with the mobile device 32.
At Step 7, the authentication server 72 recognizes the PIMSIx as a temporary identifier, and passes the PIMSIx to the appropriate directory server 10. In one or more embodiments, the authentication server 72 is configured to determine the network address information for the directory server 10 from the PIMSIx received from the mobile device 32-x.
At Step 8, the directory server 10 finds the correct data record 22-x corresponding to the PIMSIx as received from the authentication server 72. As part of this processing, the directory server 10 may determine the validity of the PIMSIx by checking whether the PIMSIx is blocked, expired, or has otherwise been used more than an allowed number of times. Thus, if the PIMSIx exists within the batch(es) 20 of device records 22 stored at the directory server 10 and is valid, the directory server 10 calculates a temporary authentication vector for the mobile device 32-x and returns the authentication vector to the authentication server 72.
In one or more embodiments, the device directory 10 is configured to derive the authentication vector using the secret key Kpx stored in the device record 22-x for the mobile device 32-x. In this regard, the device directory 10 can be configured to generate the authentication vector using standardized 3rd Generation Partnership Project (3GPP) procedures, such as the MILENAGE algorithm. Doing so increases interoperability. Regardless, Step 8 is shown continuing across the authentication server 72, indicating that the authentication vector is passed back to the network 70.
At Step 9, the network 70 uses the authentication vector to grant temporary access, e.g., temporary packet data access, to the mobile device 32-x. As one example, the authentication vector is valid for a limited amount of time, e.g., one minute, and/or is valid for a very limited amount of data transfer.
At Step 10, the mobile device 32-x uses its temporary access to communicate with the directory server 10. In this regard, it was noted that network address information for the directory server 10 can be included as part of the mobile device's initial provisioning information. Thus, the mobile device 32-x can use that stored information to contact the appropriate directory server 10 after gaining temporary access. While the diagram appears to show communication directly between the mobile device 32-x and the directory server 10, those skilled in the art will appreciate that the link may be indirect, and, in general, includes an over-the-air connection being supported by the network 70 according to the temporary authentication vector. With its communicative link to the directory server 10, the mobile device 32-x requests that the directory server 10 provide it with the credential server address information linked at the directory server 10 to its PIMSIx.
At Step 11, the directory server 10 returns the credential server address information to the mobile device 32-x.
At Step 12, the mobile device 32-x generates a new temporary key, Ktx. In at least one embodiment, the mobile device 32-x derives Ktx from its secret key Kpx.
At Step 13, the mobile device 32-x sends a credential request to the credential server 60, as identified by the credential server address information returned to the mobile device 32-x from the device directory 10. (Again, such communications generally are indirect, with at least one part of the link supported by an over-the-air connection made through the network 70.) In one embodiment, this request is protected using the temporary key Ktx, and, possibly, a Message Authentication Code (MAC). In another embodiment, the connection is protected by the temporary key Ktx and a transport security protocol, such as TLS. Regardless, in at least one embodiment, the request includes the mobile device's public key PuKx, and the PDIx corresponding to the mobile device's PIMSIx.
At Step 14, the credential server 60 creates permanent (long-term) subscription credentials for the mobile device 32. For example, it may generate a Soft Subscriber Identity Module (SSIM) or other form of software-based authorization information. Such data may include both SIM credentials and SSIM parameters. SSIM parameters may include SIM algorithms having specific applicability to the network operator associated with the credential server 60.
At Step 15, the credential server 60 encrypts the permanent subscription credentials using the public key of the mobile device 32, PuKx, and sends them to the mobile device 32. In another embodiment, the credential server uses the temporary key, Ktx, to encrypt the permanent subscription credentials. Doing so, however, raises a possible security implication because Ktx is derived from the secret key Kpx, which is also held at the directory server 10.
At Step 16, the mobile device receives the encrypted permanent subscription credentials, decrypts them, and installs them, e.g., within its trusted module 44. This process may include any needed SIM or other software updating. Regardless, the mobile device 32 is now provisioned with permanent subscription credentials, giving the mobile device 32 access to home and visitor wireless communication networks within any limits established by those credentials.
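Two checks from the procedure above, the directory server's PIMSI validity test at Step 8 and the credential server's verification of the MAC-protected request at Step 13, as an added example that is not part of the patent text. HMAC-SHA256 for both F and the MAC, SHA-256 for the PDI, the JSON message layout, the field and function names, and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def pdi_from_pimsi(pimsi: str) -> str:
    return hashlib.sha256(pimsi.encode("ascii")).hexdigest()


def derive_kt(kp: bytes) -> bytes:
    # Kt = F(Kp), with F modelled as HMAC-SHA256 over a fixed label.
    return hmac.new(kp, b"temporary-key", hashlib.sha256).digest()


@dataclass
class PimsiState:
    """Per-record state the directory server consults at Step 8."""
    kp: bytes
    blocked: bool = False
    expires_at: float = float("inf")   # seconds since epoch
    uses: int = 0
    max_uses: int = 3                  # allowed number of uses (assumed value)


def validate_pimsi(state: Optional[PimsiState], now: float) -> Tuple[bool, str]:
    """Return (valid, reason); only a valid PIMSI gets an authentication vector."""
    if state is None:
        return False, "unknown PIMSI"
    if state.blocked:
        return False, "blocked"
    if now >= state.expires_at:
        return False, "expired"
    if state.uses >= state.max_uses:
        return False, "use limit reached"
    state.uses += 1                    # count this access attempt
    return True, "ok"


def build_credential_request(kp: bytes, pimsi: str, puk: str) -> Tuple[bytes, str]:
    """Device side, Steps 12-13: derive Kt from Kp and MAC the request."""
    body = json.dumps({"pdi": pdi_from_pimsi(pimsi), "puk": puk},
                      sort_keys=True).encode("utf-8")
    tag = hmac.new(derive_kt(kp), body, hashlib.sha256).hexdigest()
    return body, tag


def verify_credential_request(kt_by_pdi: Dict[str, bytes],
                              body: bytes, tag: str) -> Optional[str]:
    """Credential server side: return PuK only if the MAC verifies under the
    Kt stored for this PDI at Step 5; otherwise return None."""
    try:
        msg = json.loads(body)
        kt = kt_by_pdi[msg["pdi"]]
        puk = msg["puk"]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(kt, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; the MAC binds PuK to the holder of Kp, so a
    # substituted public key is rejected before Step 15 encrypts to it.
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        return None
    return puk
```

The MAC authenticates the request only against parties that do not hold Kp; the directory server can derive Kt as well, which is the same consideration the text raises for encrypting the permanent credentials under Ktx rather than PuKx.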
A basic but non-limiting idea that is realized by the above arrangement is that mobile device manufacturers are permitted to initially provision mobile devices 32 in such a way that they can be later activated (permanently provisioned) using over-the-air activation through any number of participating network operators. This arrangement thus allows a mobile device 32 to gain temporary wireless communication network access using preliminary subscription identity information, and then use that access to obtain the address of and connection to a credential server that will provide it with permanent subscription information. Put simply, a potentially large number of different network operators may agree to participate in the described arrangement, and communicatively link their respective wireless communication networks to the directory server 10 (or to any one in a number of different directory servers 10).
Thus, a system and method for facilitating over-the-air mobile communication device activation are presented herein. However, it should be understood that the foregoing description and the accompanying drawings represent non-limiting examples of the methods, systems, and individual apparatuses taught herein. As such, the present invention is not limited by the foregoing description and accompanying drawings. Instead, the present invention is limited only by the following claims and their legal equivalents.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US5600708||Aug 4, 1995||Feb 4, 1997||Nokia Mobile Phones Limited||Over the air locking of user identity modules for mobile telephones|
|US5943425||Jul 29, 1996||Aug 24, 1999||Lucent Technologies, Inc.||Re-authentication procedure for over-the-air activation|
|US5956636||Jul 16, 1996||Sep 21, 1999||At&T Wireless Services Inc.||Method and system for automatic activation of a wireless device|
|US6014561 *||May 6, 1996||Jan 11, 2000||Ericsson Inc.||Method and apparatus for over the air activation of a multiple mode/band radio telephone handset|
|US6064879||Jan 3, 1997||May 16, 2000||Fujitsu Limited||Mobile communication method, and mobile telephone switching station customer management system, and mobile unit for implementing the same|
|US6144849||Feb 23, 1998||Nov 7, 2000||Adc Newnet, Inc.||Method and apparatus for over-the-air service provisioning of a mobile telephone|
|US6314283||Apr 28, 1999||Nov 6, 2001||Nec America, Inc.||Cellular phone subsidy lock|
|US6381454||Oct 10, 1996||Apr 30, 2002||Qualcomm Incorporated||Method and system for over-the-air (OTA) service programming|
|US6445914||Sep 8, 1999||Sep 3, 2002||Ericsson, Inc.||Method to perform subsidy protection for TDMA mobile stations|
|US6480710||Jul 16, 1999||Nov 12, 2002||Telemac Corporation||System and method for managing prepaid wireless service|
|US6484022||Sep 7, 1999||Nov 19, 2002||Ericsson Inc.||Wireless communications device having externally controlled transmission of identity|
|US6490445||Jul 19, 2000||Dec 3, 2002||At&T Wireless Services, Inc.||Customer activation system for cellular network|
|US6529729||Nov 7, 2000||Mar 4, 2003||Ulysses Holdings, Llc||Method and apparatus for over-the-air service provisioning of a mobile telephone|
|US6546243||Jan 23, 2002||Apr 8, 2003||Qualcomm, Incorporated||Method and system for over-the-air (OTA) service programming|
|US6549770||May 26, 2000||Apr 15, 2003||Cellco Partnership||Over the air programming and/or service activation|
|US6725033||Aug 23, 2002||Apr 20, 2004||At&T Wireless Services, Inc.||Customer activation system for cellular network|
|US6980660||May 21, 1999||Dec 27, 2005||International Business Machines Corporation||Method and apparatus for efficiently initializing mobile wireless devices|
|US7006831||Sep 27, 2002||Feb 28, 2006||Bellsouth Intellectual Property Corporation||Apparatus and method for providing dynamic communications network traffic control|
|US7035630||Sep 16, 2003||Apr 25, 2006||Research In Motion Limited||Demand-based provisioning for a mobile communication device|
|US7200390||Dec 30, 2004||Apr 3, 2007||Cellco Partnership||Device software update transport and download|
|US20020009199 *||Jun 29, 2001||Jan 24, 2002||Juha Ala-Laurila||Arranging data ciphering in a wireless telecommunication system|
|US20020094808||Jan 23, 2002||Jul 18, 2002||Tiedemann Edward G.||Method and system for over-the-air (OTA) service programming|
|US20030226030||May 30, 2002||Dec 4, 2003||Leon Hurst||Secure content activation during manufacture of mobile communication devices|
|US20040116109||Dec 16, 2002||Jun 17, 2004||Gibbs Benjamin K.||Automatic wireless device configuration|
|US20050079863||Oct 8, 2003||Apr 14, 2005||Macaluso Anthony G.||Over the air provisioning of mobile device settings|
|US20060009217||Jun 28, 2004||Jan 12, 2006||Christoffer Lunden||System and method for product registration and activation|
|US20060030315||Aug 6, 2004||Feb 9, 2006||Christopher Smith||Method and system for provisioning wireless services using SIM information|
|US20060165060||Jan 21, 2005||Jul 27, 2006||Robin Dua||Method and apparatus for managing credentials through a wireless network|
|US20060196931||Sep 28, 2005||Sep 7, 2006||Nokia Corporation||Methods, system and mobile device capable of enabling credit card personalization using a wireless network|
|US20060217111||Feb 13, 2006||Sep 28, 2006||Sunil Marolia||Network for customer care and distribution of firmware and software updates|
|US20070047707||Aug 26, 2005||Mar 1, 2007||Net2Phone, Inc.||IP-enhanced cellular services|
|US20070056042||Dec 30, 2005||Mar 8, 2007||Bahman Qawami||Mobile memory system for secure storage and delivery of media content|
|US20070099599||Oct 27, 2005||May 3, 2007||Christopher Smith||Method and system for provisioning wireless services|
|US20070100652 *||Oct 27, 2006||May 3, 2007||Jorey Ramer||Mobile pay per call|
|US20070112676||Jun 9, 2006||May 17, 2007||Nokia Corporation||Digital rights management in a mobile communications environment|
|US20070129057||Dec 6, 2005||Jun 7, 2007||Chuan Xu||Service provider subsidy lock|
|EP0778716A2||Dec 5, 1996||Jun 11, 1997||AT&T Wireless Services, Inc.||Customer activation system for cellular network|
|EP0820206A2||Jul 15, 1997||Jan 21, 1998||AT&T Wireless Services, Inc.||System and method for automatic registration notification for over-the-air activation|
|EP1645931A1||Oct 11, 2004||Apr 12, 2006||Telefonaktiebolaget LM Ericsson (publ)||Secure loading and storing of data in a data processing device|
|1||3GPP TS 24.008, V7.0.0 (Jun. 2005). 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 (Release 7).|
|2||Alves, T. et al. "TrustZone: Integrated Hardware and Software Security." White Paper, ARM. Available at http://www.arm.com/pdfs/TZ-Whitepaper.pdf.|
|4||Co-pending U.S. Appl. No. 60/913,089, filed Apr. 20, 2007.|
|5||Niemi, V. et al. UMTS Security. Wiley, Jan. 2004. pp. 63-71. ISBN: 978-0-470-84794-7.|
|6||TCG Mobile Trusted Module Specification. Specification version 0.9, Revision 1, Sep. 12, 2006. TCG 2006. Available at www.trustedcomputinggroup.org.|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US8285993 *||Apr 22, 2011||Oct 9, 2012||Netapp, Inc.||System and method for establishing a shared secret among nodes of a security appliance|
|US8707022 *||Apr 27, 2011||Apr 22, 2014||Apple Inc.||Apparatus and methods for distributing and storing electronic access clients|
|US9191818||Apr 23, 2012||Nov 17, 2015||Giesecke & Devrient Gmbh||Methods and devices for OTA management of subscriber identity modules|
|US9203620 *||Jan 28, 2009||Dec 1, 2015||Emc Corporation||System, method and apparatus for secure use of cryptographic credentials in mobile devices|
|US9203846 *||Oct 15, 2010||Dec 1, 2015||Interdigital Patent Holdings, Inc.||Registration and credential roll-out for accessing a subscription-based service|
|US9391981||Nov 6, 2015||Jul 12, 2016||Interdigital Patent Holdings, Inc.||Registration and credential roll-out for accessing a subscription-based service|
|US9438600 *||Apr 21, 2014||Sep 6, 2016||Apple Inc.||Apparatus and methods for distributing and storing electronic access clients|
|US9652320||Dec 15, 2014||May 16, 2017||Interdigital Patent Holdings, Inc.||Device validation, distress indication, and remediation|
|US20120260086 *||Apr 27, 2011||Oct 11, 2012||Haggerty David T||Apparatus and methods for distributing and storing electronic access clients|
|US20120278869 *||Oct 15, 2010||Nov 1, 2012||Interdigital Patent Holdings, Inc.||Registration and credential roll-out for accessing a subscription-based service|
|US20140298018 *||Apr 21, 2014||Oct 2, 2014||Apple Inc.||Apparatus and methods for distributing and storing electronic access clients|
|U.S. Classification||380/247, 455/419, 705/76|
|International Classification||H04W12/06, H04W8/26, H04L29/00|
|Cooperative Classification||H04W8/18, G06Q20/3821, H04W12/06, H04W8/265|
|European Classification||H04W8/26A, H04W12/06, G06Q20/3821|
|Jan 23, 2008||AS||Assignment|
Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL), SWEDEN
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GEHRMANN, CHRISTIAN;REEL/FRAME:020400/0345
Effective date: 20071216
|Apr 10, 2012||CC||Certificate of correction|
|May 22, 2015||FPAY||Fee payment|
Year of fee payment: 4